Firewall Wizards mailing list archives

Re: Token based OTP: SafeWord or SecurID?


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sun, 10 Dec 2000 13:39:45 -0500

On Sat, Dec 09, 2000 at 04:15:09PM -0800, Ryan Russell wrote:
> On Sat, 9 Dec 2000, Michael H. Warfield wrote:
> 
> > file" (the Network Administrator here is thoroughly PISSED that I, of all
> > people, have the ability to use SecureID without one of his precious
> > dongles and has not given me a key file, yet.)
> > 
> >     BTW...  We have had abysmal luck with the SecureID keyfobs.  I've
> > never even used mine and I looked at it one day and the LCD was gibberish.
> 
> I used to administer a decent-sized userbase of Safeword tokens.  If one
> of them went nuts (about 1 in 100) we'd give them a new one.

        And in the meantime, while they wait for IS, they are down.
Typical IS mentality.

> > I asked said Admin if I needed to stroke the Tamagotchi more often to keep
> > it happy.  He failed to see the humor.  That's WHY I want the key file to
> > activate my SecureID calculator on my Palm Pilot.  That's also WHY he's
> > so pissy about it.  He hates to feel like he had to give in because the
> > damn things are unreliable.
> 
> I wouldn't allow my users to use soft tokens either.  That's because on a
> general computing platform like the Palm, it's much, much easier to steal
> the key without you knowing about it.  With the hardware tokens, the
> attacker has to get it away from you long enough to crack the case, and
> attach leads to the right pins, etc... If you left your Palm alone long
> enough (and hadn't taken appropriate measures to prevent this) then it
> would only take me <60 seconds to "dock" it, or beam the keyfile to my
> Palm.

        Which would get you nowhere.

        My palm is a multifunction device which I use daily and keep with
me constantly.  I would know in short order if it were missing.  The
SecureID dongle might get used once in a blue moon, because it's only
good for that one purpose.  It could "go a walkabout" and I wouldn't
know it was missing till the next time I needed it.  That could be
weeks or even months.  Even then, I couldn't be sure if I had merely
misplaced it AGAIN or it had "grown legs with assistance".  If I compare
the times when I set my keys down for hours vs the times when I misplace
that PDA, I'm much more comfortable with the PDA solution.  If I compare
the times I've seen someone's keys sitting on a desk (with them not around)
vs the times I've seen a PDA sitting on a desk, I'm more comfortable with
the PDA solution.

        My palm pilot is access protected.  You couldn't dock it and
get squat.  Most people aren't so diligent, I will grant you that much.
They should be.

        You already mentioned that someone who was prepared, could
grab the token card and read it out.  If I were going to do something like
that, I would have a socket already prepared and it only takes a second
to peel off that little cover and drop it in place.  With the right
equipment (pretested and operational) that would take LESS time than
docking and syncing up a palm pilot that was NOT crypto protected.
It WOULD take more preparation in advance (or maybe not, you have to have
a station to sync the palm pilot to) but once you are prepared, you could
hit as many as you want.  All you then need are the corresponding PINs.
NOTE:  I really don't know how difficult it would be to design or assemble
a "pirate socket" for the fobs.  I'm presuming that it shouldn't be too
difficult, given access to the regular devices.  It might be...  Maybe
they are crypto protected like a smart card.  It would make sense to
do it that way where you could load the key but NEVER read the key.
Is this the way the fobs work?  I don't know.  I wouldn't trust any
system based on the serial number of the token or on a key which could
be read out of the token, however.

        The SecureID app is password protected.  You could shoulder
surf the keyfob or even glance at it sitting on the desk.  You then
have 60 seconds to attack.  I've known some guys (hell, some of them
work with me) who can remember those kinds of numbers at a glance.
They really are that good and really can do it.

        So there are two levels of security passwords on the PDA (one
for the access crypto and one on the Palm app itself), before you even
get to the token screen, security which simply does NOT exist with the
exposed and constantly viewable fob.  The keyfob is much easier to
misplace (I certainly don't need another chunk of plastic dangling from
my keychain that I rarely use - and I have seen them break as well).

        The SecureID PIN is sent to the server, typically over an
unencrypted channel (forcing logins through https or something similar
is not always an option) so the PIN can be compromised.

        I consider the keyfob / credit card tokens a far greater
security risk than someone scarfing my palm pilot.

        I'm also at far less of a DoS risk from IS when a fob goes tits up.

>                                       Ryan

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
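The shoulder-surfing scenario in the reply above (a glance at the fob gives an observer one code and a 60-second window) is the kind of exposure a verifying server can narrow on its own side. The following is an added example, not code from the original post and not the algorithm of SecurID or SafeWord (which the thread does not describe): it assumes a generic HMAC-based, time-stepped OTP in the style of RFC 6238 with a 60-second step, a PIN check, a one-step clock-skew window, and a strictly increasing "last accepted step" so that a code observed over someone's shoulder is dead the moment the legitimate user has used it. The secret, PIN and timestamps are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

STEP_SECONDS = 60   # code lifetime matching the 60-second window discussed in the thread
DIGITS = 6


def otp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the big-endian time counter with RFC 4226 dynamic truncation.

    This is a generic construction assumed for the example, not SecurID's algorithm.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side check: PIN + code, small skew window, no time step accepted twice."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self.secret = secret
        self.pin = pin
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1        # highest time step already consumed

    def verify(self, pin: str, code: str, now: int) -> tuple[bool, str]:
        # Constant-time PIN comparison; a wrong PIN fails before any OTP work is done.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False, "bad pin"
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(otp_code(self.secret, counter), code):
                # Replay defence: a step at or below the last accepted one is refused,
                # even though the code itself is still arithmetically valid.
                if counter <= self.last_counter:
                    return False, "replay"
                self.last_counter = counter
                return True, "accepted"
        return False, "bad code"


# Constructed demo values; not real credentials.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token"
DEMO_PIN = "4821"


def demo() -> list[str]:
    """Walk through the thread's scenario: user logs in, an observer tries the same code."""
    v = OtpVerifier(DEMO_SECRET, DEMO_PIN)
    t0 = 1_000_000_000                          # constructed "now", 40 s into its step
    code = otp_code(DEMO_SECRET, t0 // STEP_SECONDS)
    results = []
    results.append(v.verify(DEMO_PIN, code, t0)[1])         # legitimate login
    results.append(v.verify(DEMO_PIN, code, t0 + 30)[1])    # observer replays inside the window
    results.append(v.verify("0000", code, t0 + 30)[1])      # observer has the code but not the PIN
    results.append(v.verify(DEMO_PIN, code, t0 + 300)[1])   # observer tries after the window
    return results


if __name__ == "__main__":
    print(demo())
```

The monotonic counter is what closes the 60-second window early: once the owner has authenticated with a step, the same step is refused for the rest of its life, so a glanced-at code is only useful to someone who gets it to the server before the owner does. It does nothing for the other point raised in the reply, the PIN travelling over an unencrypted channel; that needs a protected transport, not a better verifier.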

